Blurring a Name Doesn't Anonymise a Face: GDPR

If you think blurring a name makes a face "anonymous" under GDPR, you're one bad subpoena away from a compliance nightmare. That's not hyperbole — it's a direct consequence of how EU courts have now clarified the relationship between pseudonymisation and personal data. And if you're an investigator, a compliance officer, or anyone who archives facial images in case files, this ruling should make you stop and reread your current data handling procedures.

The Myth That's Getting Investigators Into Trouble

Here's how it usually goes. An investigator pulls together a case file. They swap names for case codes. They remove identifying numbers. They maybe even blur a few fields in the document header. Then they share that file with a consultant, an analyst, or another agency — and they mentally file it under "de-identified." Done. GDPR problem solved.

Except it isn't. Not even close.

The misconception is understandable. GDPR makes a distinction between "personal data" and "anonymous data," and anonymous data falls outside its scope entirely. The logic follows: if I strip the name, I've moved toward anonymous. Enough stripping, and I'm out of scope. But that logic collapses the moment you understand what the law actually means by anonymisation — and more importantly, what it does not mean by pseudonymisation.

Pseudonymisation, as defined under GDPR, is the process of replacing directly identifying information with a code or alias — so that the data can no longer be attributed to a specific individual without additional information. That "additional information" might be a lookup table, an encryption key, or simply the investigator's own memory. The data isn't anonymous. It's just wearing a mask. And the person holding the mask is still responsible for the face beneath it.

What the EU Court Actually Decided

In a landmark clarification that sent ripples through data protection circles, the EU court addressed a deceptively simple question: when does pseudonymised data stop being personal data? The answer, it turns out, depends entirely on who's asking — and what tools they have available. This article is part of a series — start with Stress Test Facial Comparison Method Against Deepf.

The court confirmed what's known as the "reasonably likely" standard. Whether pseudonymised data constitutes personal data hinges on whether the controller can realistically re-identify the individual given the technical, organisational, and legal measures in place. This isn't about theoretical possibility. It's about practical probability — which means the same dataset can simultaneously be personal data for one party and non-personal for another.

"Whether pseudonymised data constitutes personal data depends on a contextual assessment of whether reidentification is 'reasonably likely' for the recipient based on the available technical, organisational and legal measures that prevent reidentification." — Skadden, Arps, Slate, Meagher & Flom LLP

Think about what this means in practice. An investigator who archives pseudonymised facial images — with the pseudonymisation key stored on their own server — is unambiguously handling personal data. They can re-identify the subject. The key exists. GDPR applies in full. A third-party consultant receiving those same images, with no access to the key and no reasonable means of re-identification, may not be handling personal data from their perspective. Same images. Different legal reality depending on who's holding them.

This is not a loophole. It's a design feature of the regulation — and it places the heaviest burden exactly where it belongs: on the original controller who created the data and retains the ability to unmask it.

Why Faces Are a Special Case (Literally)

Now add facial images into this picture, and the compliance obligation gets significantly heavier. A face isn't just identifying information — it's biometric data, and GDPR treats biometric data used for identification purposes as a special category requiring explicit legal basis to process. Article 9 of the regulation lists it alongside health data, genetic data, and data revealing racial or ethnic origin.

Here's the part that trips most people up: stripping the name from a facial image does not change the nature of the image. The face itself — the geometry of the eyes, the distance between the cheekbones, the specific topology of the jawline — is inherently identifying. It is, quite literally, a biometric fingerprint of the person's identity. You cannot pseudonymise a face by removing the label on the folder it lives in.

This matters enormously for anyone using AI-assisted facial comparison tools in investigative workflows. Understanding how facial recognition biometrics actually encode and store identity data makes the compliance picture considerably clearer — because it explains why a facial image is never truly "just an image" from a regulatory standpoint. The identifying information is baked into the pixels. Previously in this series: Eu Digital Omnibus Biometric Evidence Standards.

The EU's AI Act compounds this. AI systems that use biometric data for identification or categorisation are classified as high-risk applications, meaning they require conformity assessments before deployment and ongoing monitoring throughout their use. So if you're running facial comparison on a pseudonymised case file, you may be triggering obligations under two separate EU instruments simultaneously — GDPR and the AI Act. That's a compliance double-tap most investigators haven't prepared for.

The Transparency Obligation Nobody Talks About

Here's the piece of this ruling that genuinely surprises most compliance professionals. The original controller — the investigator, the agency, the firm that created the pseudonymised dataset — must inform data subjects about foreseeable recipients of their data at the time of collection. Not after. Not eventually. At the moment you capture the data.

This obligation doesn't evaporate just because you've replaced names with case codes before sharing. The court was explicit: as the controller, you must tell data subjects who their data might be disclosed to, regardless of whether those third-party recipients can identify them. Pseudonymisation doesn't give you a pass on transparency. It just shifts the privacy risk — and documentation burden — entirely onto you.

Think about what that means for a typical investigative workflow. You capture facial images during surveillance. You pseudonymise the file. You share it with three external analysts. Under this ruling, you were obligated to flag the possibility of that disclosure at the point of capture — not as a vague "may be shared with third parties" clause, but with enough specificity that a data subject could understand who might receive their information. Most case management systems weren't designed with this in mind. Most investigators haven't thought about it at all.

The locked-box analogy is useful here. Imagine you're mailing a locked box to a colleague. Inside the box is a person. Your colleague doesn't have the key, so from their perspective, they have no idea who's in there. But you know exactly who it is. You sealed it. You addressed the envelope. The person inside had a right to know the box was being mailed — before you locked the lid.

What You Should Do Before a Regulator Asks

The court's ruling isn't just a legal curiosity. It's a checklist disguised as jurisprudence. For anyone handling pseudonymised facial images — in case files, investigation archives, or AI comparison workflows — the practical implications break down cleanly.

Document your controls now. For every pseudonymised dataset containing biometric images, you need a written record of the technical and organisational measures that make re-identification "not reasonably likely" for each category of recipient. Not a generic policy. A specific, defensible assessment tied to the actual dataset and the actual recipients.

Audit your transparency records. Go back to your data collection procedures and ask honestly: did we inform subjects about foreseeable disclosures? If the answer is "not really" or "it was in the terms," you have a gap that needs closing — and a policy that needs rewriting before the next investigation begins.

Schedule a reassessment. What's technically improbable today may be easily achievable in eighteen months. AI capabilities are advancing fast enough that a re-identification barrier that seemed solid in 2023 may be paper-thin by 2025. The court's "reasonably likely" standard isn't frozen in time — it moves with the technology.

Look, nobody's saying this is simple. GDPR was always more demanding than its critics give it credit for, and biometric data has always sat at the regulation's most demanding edge. But the investigators who get this wrong aren't usually doing so maliciously. They're doing so because they genuinely believed that removing a name removed a legal obligation. The EU court just made clear, in unambiguous terms, that it doesn't.

The face was always the data. The name was just the label on the jar.